Background
The System Software Version for the WorkCentre 4265 contains cumulative updates that incorporate security vulnerability fixes up through 30 September 2014 as well as other non-security related defect fixes. This release is Common Criteria certified (see http://www.xerox.com/information-security/common-criteria-certified/enus.html).

The system software release for the product listed below is designed to be installed by the customer. Please follow the procedures contained in the bulletin to install the solution. The system software version is a full system release so the patch criticality rating is not applicable.

Background
The System Software Versions for the WorkCentre 3655 and WorkCentre 6655 are cumulative updates that incorporate security vulnerability fixes up through 28 January 2015 as well as other non-security related defect fixes. These releases are Common Criteria certified (see http://www.xerox.com/information-security/common-criteria-certified/enus.html).

The system software releases for the products listed below are designed to be installed by the customer. Please follow the procedures contained in the bulletin to install the solution. The system software versions are full system releases so the patch criticality rating is not applicable.

These software releases are compressed into zip files and can be accessed via the links below or via the links on www.xerox.com/security.

The system software release for the product is designed to be installed by the customer. Please follow the procedures contained in the bulletin to install the solution. The system software version is a full system release so the patch criticality rating is not applicable.

Background
A vulnerability has been discovered in the glibc library software that interacts with the Domain Name System (DNS). This vulnerability can allow attackers to remotely execute malicious code on a target system. A patch was issued two years ago but most Linux versions used in production systems remained unprotected. Patching requires a system restart so some servers may remain vulnerable for some time to come.

The System Software Versions for the WorkCentre 5845/5855/5865/5875/5890, WorkCentre 7220/7225, WorkCentre 7830/7835/7845/7855, ColorQube 8700/8900 and ColorQube 9301/9302/9303 models are cumulative updates that incorporate security vulnerability fixes up through 06 June 2014 as well as other non-security related defect fixes. These releases are Common Criteria certified (see http://www.xerox.com/information-security/common-criteria-certified/enus.html).

The system software releases for the products are designed to be installed by the customer. Please follow the links and procedures contained in the bulletin to install the solution. The system software versions are full system releases so the patch criticality rating is not applicable.

2014

Background
A vulnerability has been discovered in the Bash command shell that can allow attackers to remotely execute commands on a target system. Even systems that don’t allow remote command shell connections may still use Bash to execute commands in the Apache web server and other network-facing applications. Unix and Unix-derived systems like Linux and Mac OS X are vulnerable to these attacks since they use Bash as the default command shell.

Background
A vulnerability has been discovered in the Bash command shell that can allow attackers to remotely execute commands on a target system. Even systems that don’t allow remote command shell connections may still use Bash to execute commands in the Apache web server and other network-facing applications. Unix and Unix-derived systems like Linux and Mac OS X are vulnerable to these attacks since they use Bash as the default command shell.

A Bash Shellshock document addressing this vulnerability has been posted to the URL www.xerox.com/security.

Background
This bulletin announces the availability of the following:
1. Bash Security Patch
The Bash/Shellshock patch for FFPS is now available on the Xerox Download Server (aka DMS). The patch is available on the DMS server for all FFPS Releases v7, v8, and v9. (For FFPS v6 and DocuSP 5, refer to the section below.) The patch is not mandatory but will be included in future Security Patch Cluster releases. This patch has no dependency on prior-released Security Patch Clusters.

2. Guide to Using the FFPS Software Update Manager
Customers can download this patch from the Xerox Download Server and install it on FFPS using the FFPS Software Update Manager. This feature is included in the FFPS v7, v8, and v9 software releases. Use of the Update Manager requires that the System Administrator has some Unix/Linux/Solaris skills, and experience starting the Command Line (terminal window) tool on the FFPS UI.
The announcement is here: http://www.xerox.com/information-security/information-security-articles-whitepapers/miss-enus.html

Patch Installation for FFPS v6 and DocuSP v5
Because the FFPS Software Update tool is not available for the FFPS v6 and DocuSP v5 products, the patch must be provided by a Xerox CSE or Analyst. Please contact your local Xerox Service representative to request the patch file and, if appropriate, schedule an action to have the patch installed. Because this patch is not mandatory and there is very little risk of vulnerability with FFPS, the action should be scheduled at a mutually convenient time.

Background
A vulnerability has been discovered in the Bash command shell that can allow attackers to remotely execute commands on a target system. Even systems that don’t allow remote command shell connections may still use Bash to execute commands in the Apache web server and other network-facing applications. Unix and Unix-derived systems like Linux and Mac OS X are vulnerable to these attacks since they use Bash as the default command shell.

A Bash Shellshock document addressing this vulnerability has been posted to the URL www.xerox.com/security.

Background
Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support Contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

An SQL injection vulnerability exists that, if exploited, could allow remote attackers to insert arbitrary code into the applicable software application. If successful, an attacker could make unauthorized changes to, damage or delete database tables and values.

A set of software “hotfixes” for the software application listed below has been provided that removes this vulnerability. These “hotfixes” are designed to be installed by the customer. The software “hotfixes” are contained in .tar files for Linux and Solaris or .exe/.jar files for Windows and can be accessed via the link to the DocuShare Support & Software Page (http://www.support.xerox.com/support/xerox-docushare/software/enus.htm) or via the links in this bulletin.

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support Contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

This system software release for the products listed below is designed to be installed by the customer. Please follow the procedures in the bulletin to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.

The software release is compressed into a 441.3 MB zip file and can be accessed via the link in this bulletin document.

This system software release for the products listed below is designed to be installed by the customer. Please follow the procedures below to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.

The software release is compressed into a 378.1 MB zip file and can be accessed via the link in this bulletin.

2013

Xerox Security Bulletin XRX13-006 v1.3 (PDF 101.3K)
November 07, 2013
NOTE: This bulletin has been updated to correct a software procedure error in the ColorQube 93XX devices. Contact Xerox Technical Support to obtain system software release 071.180.203.06400 and the instructions for installing this release; if your current system software release is 061.180.223.11601 or less, there are interim steps that have to be followed before you can upgrade your device to system software release 071.180.203.06400. A new version of the bulletin will be published once the new information becomes available.

Cumulative update for Common Criteria Certification
System Software Versions listed below for the WorkCentre 5845/5855/5865/5875/5890, WorkCentre 7220/7225, WorkCentre 7830/7835/7845/7855 and ColorQube 9301/9302/9303 models are cumulative updates that incorporate security vulnerability fixes up through 06 March 2013 as well as other non-security related defect fixes. These four releases are Common Criteria certified (see http://www.xerox.com/information-security/common-criteria-certified/enus.html).

These system software releases for the products listed are designed to be installed by the customer. Please follow the procedures in the bulletin document to install the solution. The system software versions are full system releases so the patch criticality rating is not applicable.

These software releases are compressed into zip files and can be accessed via the links in the bulletin document.

Note: This bulletin has been re-issued to correct a typographical error in the URL string for one of the product ZIP files.

The Xerox products ColorQube 9201/9202/9203, WorkCentre 6400, WorkCentre 7525/7530/7535/7545/7556, and WorkCentre 7755/7765/7775 contain code for implementing a remote protocol that could be exploited to gain unauthorized access to the device.

The software release indicated in the bulletin will perform the following action:
Remove the affected code that unintentionally created the unauthorized access potential.

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support Contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.

Xerox Security Bulletin XRX13-006 v1.2 (PDF 96.8K)
June 27, 2013
NOTE: The new version 1.2 of this bulletin has been updated to detail a software procedure error in the ColorQube 93XX devices. The process to update a ColorQube 93XX device to the Common Criteria Certified version of software may require an extra step depending on the current software version. The details are contained in the bulletin along with an updated link to the CCC version of software.

Cumulative update for Common Criteria Certification
System Software Versions listed below for the WorkCentre 5845/5855/5865/5875/5890, WorkCentre 7220/7225, WorkCentre 7830/7835/7845/7855 and ColorQube 9301/9302/9303 models are cumulative updates that incorporate security vulnerability fixes up through 06 March 2013 as well as other non-security related defect fixes. These four releases are Common Criteria certified (see http://www.xerox.com/information-security/common-criteria-certified/enus.html).

These system software releases for the products listed are designed to be installed by the customer. Please follow the procedures in the bulletin document to install the solution. The system software versions are full system releases so the patch criticality rating is not applicable.

These software releases are compressed into zip files and can be accessed via the links in the bulletin document (Xerox Security Bulletin XRX13-006 v1.2) above.

This system software release for the products listed is designed to be installed by the customer. Please follow the procedures in the bulletin document to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.

The software release is compressed into a 237.9 MB zip file and can be accessed via the link below or via the link contained in the bulletin announcement on www.xerox.com/security.

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.

Xerox Security Bulletin XRX12-005 V1.1 (PDF 103.3K)
March 25, 2013
The Xerox devices ColorQube® 9201/9202/9203, ColorQube® 9301/9302/9303, WorkCentre® 232/238/245/255/265/275, WorkCentre® 5030/5050, WorkCentre® 5135/5150, WorkCentre® 5632/5638/5645/5655/5665/5675/5687, WorkCentre® 5735/5740/5745/5755/5765/5775/5790, WorkCentre® 6400, WorkCentre® 7525/7530/7535/7545/7556, WorkCentre® 7655/7665/7675, WorkCentre® 7755/7765/7775, WorkCentre® Bookmark 40/55, WorkCentre Pro® 232/238/245/255/265/275 were shipped with certain protocols enabled that, if properly exploited, could be used to gain unauthorized access to the system. These particular protocols should not have been present in the production configuration and need to be removed from that configuration to minimize the possibility of unauthorized system access.

A software solution (patch P49) is provided for the products listed. This solution will remove from the production configuration the unwanted protocols in question so they can’t be exploited to gain unauthorized access to the system.

This solution is designed to be installed by the customer. The software solution is compressed into a 3 KB zip file and can be accessed via the link below or via the link following this bulletin announcement on http://www.xerox.com/security.

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

This system software release for the products listed below is designed to be installed by the customer. Please follow the procedures in the bulletin to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.

The software release is compressed into a 441.3 MB zip file and can be accessed via the link below or via the link following this bulletin announcement on www.xerox.com/security.

This system software release for the products listed is designed to be installed by the customer. Please follow the procedures in the bulletin to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.

The software release is compressed into a 479.3 MB zip file and can be accessed via the link below or via the link inside the bulletin.

2012

Xerox Security Bulletin XRX12-011 v1.1 (PDF 86.6K)
November 29, 2012
Digital Signature of Software Upgrade Files
NOTE: This bulletin was reissued at version 1.1 to remove the Phaser 3635MFP. An issue with the Phaser 3635MFP will be resolved in a future version of this bulletin.

The Xerox products Phaser 3600, Phasers 4600/4620 and the WorkCentre 3550 were shipped without the ability to accept software upgrade files with digital signatures. The ability to accept only software upgrade files with digital signatures has been added for the indicated products. In addition, the indicated products now include the software upgrade setting in the Configuration Report and have added the capability to enable/disable software upgrade via SNMP.

Firmware solutions that will now only accept software upgrade files with digital signatures have been provided. These solutions are designed to be installed by the customer. The firmware solutions can be accessed via the links below or via the links in this bulletin announcement on http://www.xerox.com/security.

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

NOTE: This bulletin has been re-issued to update file size and checksum information.

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

Xerox Security Bulletin XRX12-012 v1.0 (PDF 71.6K)
October 08, 2012
The Xerox Phaser 7800 product was shipped with software upgrades enabled by default and with network protocols enabled that could be exploited to gain unauthorized access to the system.

NOTE: If Software Upgrade is currently disabled on the desired device, it must be enabled prior to installation of this software patch.

The software release indicated below will perform the following actions:
• Change the default state of software upgrade to disabled. After installing this firmware/software, software upgrade will be disabled. It can be re-enabled at the Web UI when necessary.
• Remove protocols that were not intended to be present in the production configuration.

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.

Xerox Security Bulletin XRX12-004 V1.0 (PDF 64.5K)
May 07, 2012
The vulnerability documented in CVE-2011-3192 exists in the Web Server of the WorkCentre 5135/5150, and the WorkCentre 5632/5638/5645/5655/5665/5675/5687 models. If exploited the vulnerability could allow remote attackers to create a Denial of Service on the device.

A software solution (patch P50) is provided below. This solution is designed to be installed by the customer. Please follow the procedures in the bulletin to install the solution to protect your product from possible attack through the network.

NOTE: We have released a new version of this bulletin to correct file size specifications and checksum information. No other technical information has been changed.

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Xerox customizes the patch deliveries as appropriate to each FFPS Product family, and tests the CPU patches on each supported SPAR Release prior to delivery. Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.

Xerox Security Bulletin XRX12-003 v1.1 (PDF 185.5K)
March 07, 2012
NOTE: We are re-issuing this bulletin due to a spelling error in the name of one of the researchers. No technical content in the bulletin has changed.

Vulnerabilities exist that, if exploited, could allow remote attackers to insert arbitrary code into the device. This could occur with a specifically crafted Postscript or firmware job submitted to the device. If successful, an attacker could make unauthorized changes to the system configuration; however, customer and user passwords are not exposed.

As part of Xerox’s on-going efforts to protect customers, the ability to accept these specially crafted jobs can be disabled for the affected products listed in the bulletin. Links for the software needed are contained inside the bulletin.

This system software release for the products listed is designed to be installed by the customer. Please follow the procedures in the bulletin to install the solution. This system software version is a full system release so the patch criticality rating is not applicable. You may download the software using the link in the Bulletin or from here.

2011

Xerox Security Bulletin XRX11-004 (PDF 73.4K)
October 07, 2011
A vulnerability exists that, if exploited, could allow remote attackers to bypass local authentication. This could occur with a specially crafted sequence of commands entered through the Web User Interface. If successful, an attacker could make unauthorized changes to the system configuration; however, customer and user passwords are not exposed. A patch file P48 is provided for the ColorQube 9301/9302/9301.
Download: cert_CQ93xx_P48v1_Patch.zip (zip archive 9.3M)

Xerox Security Bulletin XRX11-003 (PDF 71.8K)
August 28, 2011
FreeFlow Print Server
Oracle July 2011 CPU OS and Security Patch Cluster (includes Java 6 Update 26 Software)
Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Xerox customizes the patch deliveries as appropriate to each FFPS Product family, and tests the CPU patches on each supported SPAR Release prior to delivery. Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.

Xerox Security Bulletin XRX11-002 (PDF 92K)
March 25, 2011
A vulnerability documented in CVE-2010-2063 exists that, if exploited, could allow remote attackers to execute arbitrary code via specially crafted fields in a Service Message Block (SMB) packet. This could occur with buffer overflows in the Samba third-party code that handles file and printer sharing services for SMB clients (including Xerox MFD devices). If successful, an attacker could make unauthorized changes to the system configuration; however, customer and user passwords are not exposed. This vulnerability affects only the printer sharing services.
Download the Software Update for the WorkCentre 5735/5740/5745/5755/5765/5775/5790 (zip archive 1.4M)

Xerox Security Bulletin XRX11-001 (PDF 89.7K)
February 04, 2011
A command injection vulnerability exists in the Web Server of the WorkCentre 7655/7665/7675. If exploited, the vulnerability could allow remote attackers to execute arbitrary code via carefully crafted inputs on the affected web page. Customer and user passwords are not exposed. A software solution (patch P45) is provided for the WorkCentre 7655/7665/7675.
Download the Software Update for the WorkCentre 7655/7665/7675 (zip archive 1M)

Xerox Security Bulletin XRX10-003 (PDF 57.9K)
November 29, 2010
Original Release June 18, 2010
System Software Version 021.120.060.00015 for the WorkCentre 5632-5687 Multi-Board controller and WorkCentre 5135/5150 models and System Software Version 025.054.060.00015 for the 5632-5655 Single Board controller models are cumulative updates that incorporate several security vulnerability fixes as well as other non-security related defect fixes. Both devices have been recertified to Common Criteria EAL Level 3. Both releases have been submitted for Common Criteria certification, which is expected to be completed by September 2010.
Download System Software Release for the Multi-Board Controller (MBC) products (zip archive 106.1M)

2009

Xerox Security Bulletin XRX09-004 (PDF 83.5K)
September 18, 2009
Original Release September 1, 2009
An LPD protocol handling vulnerability exists in the firmware for the WorkCentre 7232/7242, the WorkCentre 7328/7335/7345/7346, and the WorkCentre 7425/7428/7435. If exploited, this vulnerability could cause a denial of service by crashing the device, although power cycling the device will recover from this attack. Customer and user passwords are not exposed.

Xerox Security Bulletin XRX09-003 (PDF 82.9K)
January 22, 2009
Second Release September 29, 2009
Original Release August 28, 2009
A vulnerability exists in the web servers of the WorkCentre 5030/5050, the WorkCentre 5135/5150, the WorkCentre 5632/5638/5645/5655/5665/5675/5687, the WorkCentre 7655/7665/7675, the WorkCentre 6400, and the ColorQube 9201/9202/9203. If exploited when SSL is not enabled on the device, the vulnerability could allow remote attackers to obtain unauthorized access to device configuration settings, possibly exposing customer passwords.

Xerox Security Bulletin XRX08-008 (PDF 39.1K)
July 09, 2008
CentreWare Web has been found to be vulnerable to a set of potential SQL Injection and Cross Site Scripting vulnerabilities. If exploited, these vulnerabilities could allow an attacker to make unauthorized changes to CentreWare Web or asset data, or redirect user browsing sessions.

Xerox Security Bulletin XRX08-004 (PDF 1M)
May 22, 2008
A persistent cross site scripting vulnerability exists in the web server of the WorkCentre 7132 and WorkCentre 7228/7235/7245. If exploited, this vulnerability could allow code injection by malicious web users into the web pages viewed by other users.